Part 1: Getting to grips with US government requests for data

This article was first published in the Privacy Laws & Business International Report, October 2015. www.privacylaws.com

Under the new USA Freedom Act, intelligence agencies must now be more specific when requesting data from private companies. Yuli Takatsuki and Phil Lee report from California.

There are few topics that provoke greater consternation and debate within privacy and data protection circles than the US government's power to access ordinary citizens' electronic communications data in the name of foreign intelligence and national security. In 2013, Edward Snowden's release of NSA material revealing the PRISM surveillance program blew the debate wide open and has been called the most significant leak in US constitutional history. Although much of the information about government surveillance and data collection programs remains classified, what has become apparent is that US government agencies have been pushing their statutory powers to the limit for many years with little to no judicial oversight or executive accountability.

Despite the intense public spotlight that has been shone on these activities, there is still limited knowledge, even amongst lawyers, about the legal mechanisms supporting these disclosure requests. This is not surprising once you delve into the topic and discover the myriad complex, overlapping legal instruments, rules and executive orders that govern this area of law. This article sets itself only a modest task – to provide a very brief introduction to the key legal provisions under which such requests are made – hopefully a starting point for companies that one day find such a request on their doorstep.

This article is the first of a two-part series. We focus in this first article on the legal powers governing the gathering of US intelligence. The second part – due to be published in the next edition of Privacy Laws & Business – will look at the equivalent provisions in the area of US law enforcement.

1. The Foreign Intelligence Surveillance Act (FISA) of 1978

FISA was originally enacted in 1978 to govern how the US government can collect foreign intelligence information for the purposes of safeguarding national security.

The Act created the Foreign Intelligence Surveillance Court (the FISA Court) which consists of 11 federal district court judges who are responsible for reviewing US government applications for access to personal data, electronic surveillance and other types of intelligence gathering. Hearings in the FISA Court are off-limits to the general public, rulings are generally classified, and applications for court orders are routinely made ex parte. In addition, companies that are the subject of such orders are prohibited from disclosing any information about the government requests through so-called "gag orders".

Originally, collection of intelligence under FISA had been limited to specific and identified agents of foreign powers. However, over the decades and most notably after 9/11, the US government has stepped up efforts to enhance its ability to gather more widespread intelligence.

This led in 2008 to the FISA Amendments Act. The most controversial provision is section 702, which governs the acquisition by the US government of foreign intelligence information[1] with the assistance of electronic communications service providers. It permits the Attorney General (AG) and Director of National Intelligence (DNI) to authorize the "targeting" of non-US persons (i.e. persons "reasonably believed to be located outside the United States") to obtain foreign intelligence information without any need for an individualized court order. US persons, on the other hand, are protected by the Fourth Amendment and the government is thus required under sections 703-704 to obtain an approved warrant from the FISA Court before such information is collected. In such a case, the government must demonstrate probable cause before the court will issue an order compelling the disclosure.

Collection of data relating to a non-US person, however, does not require a judicial order. Instead, the FISA Court approves annual "certifications" submitted by the AG and DNI that identify categories of foreign actors and foreign intelligence that may be appropriately targeted. Court review is then limited to the procedures for targeting (i.e. ensuring that non-US persons are being targeted) and minimization (i.e. ensuring that the government does not retain or disseminate material that it was not allowed to collect) rather than the legitimacy of the information collection itself. Once the certification is approved, the government can determine in each case whether the information it seeks falls within the targeting and minimization procedures without further court assessment.

Critics consider section 702 to be particularly intrusive as data collection under this provision can capture not just metadata records, but also the content of communications (including emails, web browsing history, photos/videos/texts, instant messages etc.), as well as authorizing digital surveillance in the form of wiretaps and interceptions of digital communications. The European Parliament has noted that the definition of "foreign intelligence information" under the Act is of such generality that "…from the perspective of non-Americans, it appears that any data of assistance to US foreign policy is eligible, including political surveillance over ordinary lawful democratic activities".[2]

Theoretically, an electronic communications provider who is served with a section 702 order can challenge it. However, in reality, the scope for challenge is very limited and the FISA Court may only grant such a challenge where the request for information has been "unlawful" (a high threshold given the wide discretion the AG and DNI are afforded under the Act). The actual persons whose records are targeted have no right to appear before the FISA Court and targeted persons will generally have no way of knowing their records are the subject of government scrutiny as the intelligence programs are classified.

There is a sunset clause attached to section 702 but it is currently not due to expire until 2017.

2. Executive Order (EO) 12333

Executive orders are issued by the President of the United States and generally instruct government officers and agencies how to conduct and manage their operations.

EO 12333 (commonly referred to as "Twelve-Triple-Three") was signed by Ronald Reagan in 1981 and sets down the legal baseline for what the intelligence community can do and how it operates. It allows the AG to authorize the collection of information outside of the US, including the content of communications data and related metadata, for the purposes of any foreign intelligence investigation. No warrant or court approval is required where the collection takes place outside of the US. Where intelligence collection is within the US, a specific domestic instrument (like FISA) will need to be relied upon, in addition to EO 12333, to legitimize the collection.

There is not a great deal of public information about the application of EO 12333 by the US government but its language is broad and its powers potentially wide-reaching. It is described as a type of 'catch-all' power that may legitimise government surveillance practices that would otherwise not fall within other legal instruments.

3. The USA PATRIOT Act of 2001

Although no longer in force, the USA PATRIOT Act is worth mentioning for its controversial section 215 (known as the "business records" provision), which laid the foundations for the reforms that followed. The Act was adopted in October 2001, six weeks after 9/11. Many opponents have criticised the USA PATRIOT Act for massively expanding the access of law enforcement agencies to business records and permitting the dragnet collection of millions of users' phone and internet records on a daily basis. Even the Congressman who introduced the Act to the House of Representatives, Jim Sensenbrenner, later criticised the intelligence community's "expansive use" of the Act, describing its practices as going "far beyond what Congress envisioned or intended to authorize".

Section 215 allowed US government agencies to obtain court orders requiring a business to hand over records or any other "tangible thing" (including books, records, papers, documents, and other items) that was deemed "relevant" to an international terrorism or clandestine intelligence investigation. There were few limits to the government's access and even US persons could fall under its scope (provided that the order did not infringe on any First-Amendment protected activities).

It is said that government agencies were able to obtain records relating to a whole geographic region or an entire communications service provider under section 215. In May 2015, however, the collection by the NSA of Verizon's business records relating to the metadata of millions of phone calls was held by the Court of Appeals for the Second Circuit to exceed the scope of the Act. This bulk collection of huge tranches of communications data had been justified by intelligence agencies as the only way to get enough data to allow them to sift through it to find 'connections' (described as the "haystack approach" by critics). The Court held that the government had been over-liberal in its interpretation of "relevance", stating "such an expansive concept of 'relevance' is unprecedented and unwarranted… The statutes to which the government points have never been interpreted to authorize anything approaching the breadth of the sweeping surveillance at issue here".

The USA PATRIOT Act contained a sunset clause which meant it was due to expire in June 2015.

4. The USA FREEDOM Act of 2015 ("Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015")

With this heated background, the seeds had been sown for the enactment of the USA FREEDOM Act. In June 2015, the Senate failed to vote for an extension of the USA PATRIOT Act and so the controversial section 215 lapsed. The Senate instead adopted the USA FREEDOM Act, generally considered less invasive and more palatable than the USA PATRIOT Act. The legislation is to remain in effect until December 15, 2019.

The USA FREEDOM Act has modified section 215 so that intelligence agencies must now ask private companies for specific and more focused data relating to an individual allegedly connected to a terrorist group or foreign nation. Although it is not clear how it has been applied in practice, it is said to make the bulk collection of records no longer viable. At the heart of the Act lies the concept of a "specific selection term" – a term that government agencies must now use to limit the scope of records sought and which "specifically identifies an individual account, address or personal device, or any other specific identifier" and "to the greatest extent reasonably practicable" limits "the scope of tangible things sought consistent with the purpose for seeking the tangible things".

The Act also introduced reforms to the FISA Court procedures. Firstly, a special court advocate (amicus curiae) who represents public and privacy interests must now be appointed in cases that involve a novel or significant construction of the law. Secondly, all judgments involving a significant construction or interpretation of law must be declassified and made available to the general public (unless the publication would threaten national security, in which case an unclassified summary must be published). To add further transparency, the Act allows companies that are the subject of disclosure orders to publicly report the number of orders they have received (in bands), as well as certain other information such as the number of customer selectors targeted.

Further, the amendments allow the recipient of a business records order to bring a judicial challenge not just to the production part of the order, but also to any prohibition on disclosure contained in it. It has removed a requirement that a judge considering a petition to modify or set aside a nondisclosure order treat as conclusive a certification by the AG or FBI Director that disclosure may endanger national security or interfere with diplomatic relations.

There is no doubt that these represent significant reforms for the data subject – but do they go far enough? The Act was hailed by some as representing a momentous victory for civil liberties but it has been slammed by equally many others for failing to alter the fundamentals. US government agencies can still compel the disclosure of a large amount of electronic communications data without the knowledge of the data subject, without court oversight in most cases, and without a clearly articulated legal standard for 'relevance'. The Act also does nothing to limit the government's right to access the content of communications under s.702 of the FISA Amendments Act and Executive Order 12333.

Is there any protection for non-US persons?

Currently, there is little protection for non-US persons who become the target of such orders. In most cases, the decision whether to release the data to the government agency will lie in the hands of the business that holds the records. Many US tech companies have published statements on their websites explaining how they handle such requests. For example, Google says it will always review a government request for data to ensure it satisfies legal requirements – generally speaking, the request must be made in writing, signed by an authorized official of the requesting agency and must be issued under an appropriate law. If they believe a request is overly broad, they say they will "seek to narrow it". Microsoft[3], Yahoo[4], Apple[5] and Facebook[6] follow similar approaches. However, a successful challenge to such an order is likely to be rare. Aside from this thin layer of protection, there is very little any non-US subject can do.

There is a small glimmer of light for EU citizens. Currently, there appears to be a great level of interest and dialogue at the European parliamentary level about these issues. So far, this has manifested itself in a number of concrete ways:

Firstly, there are certain provisions included in some drafts of the General Data Protection Regulation which impose restrictions on handing over EU personal data in this context. For example, Article 43a of the European Parliament draft prohibits companies from complying with third country government requests for EU personal data unless they have "prior authorisation" from an EU data protection authority and the request accords with an existing mutual legal assistance treaty or international agreement. However, it isn't clear whether this provision will survive the trilogue debates, or how such a requirement would work in practice without bringing international law enforcement to a grinding standstill.

Negotiations for an "EU-US Umbrella Agreement" were finalised in early September 2015, which puts in place a legal framework for the exchange of personal data between law enforcement authorities. It sets out key principles – e.g. that the data must only be shared for the purposes of investigating crime, onward transfer to a third country must be subject to prior consent from the original law enforcement body etc. Most significantly, it provides EU citizens with the right to seek judicial redress before US courts for privacy breaches, which was not possible before.

The European Court of Justice published its landmark ruling in the Max Schrems case on 6th October 2015, holding that the Safe Harbour Framework was not a valid mechanism for cross-border transfers of EU personal data to the US. The Court held that the transfer of data under the Framework constituted a disproportionate interference with the right to respect for private life as it enabled US public authorities to have access to the content of electronic communications on a wide and generalised basis, without any objective criterion being laid down for determining the limits of the access. It is not yet clear what the wider practical impact of the judgment will be; however, it is no doubt a huge blow to the main legal mechanism in place legitimising such data transfers. The European Commission has said it will issue clear guidance in the coming weeks.

Given the breadth of statutory power given to US government agencies under FISA, EO 12333 and the USA FREEDOM Act, it is not yet clear whether these developments will lead to fundamental changes in the short-to-medium term. However, the continuing public spotlight and ongoing political and legislative debate surrounding these issues will no doubt help in securing greater accountability and legal safeguards for future citizens. Non-US citizens should also consider the foreign intelligence practices carried out by governments in their own jurisdiction. The spotlight may be on the US at the moment, but mass data collection by governments in the name of national security is a practice that pervades government agencies the world over.

US intelligence gathering – comparison table

| Provision | What kind of data is covered? | Threshold requirement | Court order required? |
|---|---|---|---|
| s.702 FISA Amendments Act | Metadata and actual content of communications through compelled assistance of electronic communications providers. | Relevant to international terrorism or a clandestine intelligence investigation | No (for non-US persons) - individualised court orders not required but court approval needed for program generally and criteria for ongoing collection. |
| s.215 USA FREEDOM Act of 2015 | Records or other tangible thing (telephone metadata only) | Relates to individual allegedly connected to an international terrorist group or foreign power. Government agency must include a "specific selection term" in request. | No (for non-US persons) - individualised court orders not required but court approval needed for program and criteria for ongoing collection. |

[1] "Foreign intelligence information" is defined as information that relates to the ability of the USA to protect against attack, sabotage, international terrorism, international proliferation of weapons of mass destruction, clandestine intelligence activities, and any information with respect to a foreign power or foreign territory relating to national defense, national security, or the conduct of foreign affairs.

[2] "The US surveillance programmes and their impact on EU citizens' fundamental rights", Directorate-General for Internal Policies of the European Parliament, PE 474.405 (p.19)